<% security_groups.each do |security_group| -%>
resource "aws_security_group" "<%= module_name_of(security_group) %>" {
    name        = "<%= security_group.group_name %>"
    description = "<%= security_group.description %>"
    vpc_id      = "<%= security_group.vpc_id || '' %>"

<% dedup_permissions(security_group.ip_permissions, security_group.group_id).each do |permission| -%>
  <%- security_groups = security_groups_in(permission, security_group).reject { |group_name| group_name == security_group.group_name }.reject { |group_id| group_id == security_group.group_id } -%>
    ingress {
        from_port       = <%= permission.from_port || 0 %>
        to_port         = <%= permission.to_port || 0 %>
        protocol        = "<%= permission.ip_protocol %>"
<%- if permission.prefix_list_ids.length > 0 -%>
        prefix_list_ids = <%= permission.prefix_list_ids.map { |range| range.prefix_list_id }.inspect %>
<%- end -%>
<%- if permission.ip_ranges.length > 0 -%>
        cidr_blocks     = <%= permission.ip_ranges.map { |range| range.cidr_ip }.inspect %>
<%- end -%>
<%- if permission.ipv_6_ranges.length > 0 -%>
        ipv6_cidr_blocks     = <%= permission.ipv_6_ranges.map { |range| range.cidr_ipv_6 }.inspect %>
<%- end -%>
<%- if permission.user_id_group_pairs.length > 0 -%>
  <%- self_referenced = self_referenced_permission?(security_group, permission) -%>
        security_groups = <%= security_groups.inspect %>
        self            = <%= self_referenced %>
<%- end -%>
    }

<% end -%>

<% dedup_permissions(security_group.ip_permissions_egress, security_group.group_id).each do |permission| -%>
    egress {
        from_port       = <%= permission.from_port || 0 %>
        to_port         = <%= permission.to_port || 0 %>
        protocol        = "<%= permission.ip_protocol %>"
<%- if permission.prefix_list_ids.length > 0 -%>
        prefix_list_ids = <%= permission.prefix_list_ids.map { |range| range.prefix_list_id }.inspect %>
<%- end -%>
<%- if permission.ip_ranges.length > 0 -%>
        cidr_blocks     = <%= permission.ip_ranges.map { |range| range.cidr_ip }.inspect %>
<%- end -%>
<%- if permission.ipv_6_ranges.length > 0 -%>
        ipv6_cidr_blocks     = <%= permission.ipv_6_ranges.map { |range| range.cidr_ipv_6 }.inspect %>
<%- end -%>
<%- if permission.user_id_group_pairs.length > 0 -%>
  <%- self_referenced = self_referenced_permission?(security_group, permission) -%>
        security_groups = <%= security_groups_in(permission, security_group).reject { |group_id| group_id == security_group.group_id }.inspect %>
        self            = <%= self_referenced %>
<%- end -%>
    }

<% end -%>
<% if security_group.tags.length > 0 -%>
    tags {
<% security_group.tags.each do |tag| -%>
        "<%= tag.key %>" = "<%= tag.value %>"
<% end -%>
    }
<% end -%>
}

<% end -%>
